Malicious PDF — malware analysis report

Static analysis result for SHA-256 9786161e49fc6a16…

MALICIOUS

PDF

7.3 KB Created: 2013-04-02 01:29:11
MD5: cf6b68ced73455a9c6c55b9ade0c0ee0 SHA-1: b1d653cd6faef8f526a736c30d355adcaff28937 SHA-256: 9786161e49fc6a16535017975af793c85680275fd17978c45dca0e3f36b154c8
68 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains an embedded file, identified as a potential script payload. The ML classifier strongly indicates maliciousness. The document body, though truncated, contains text that appears to be part of a lure, suggesting an attempt to trick the user into interacting with the embedded content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0008.bin
1a7c9c4fa54c3d1bfb6ab4c581b3e3570db17256fbecb77b1e7f992a74b4ac2e		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x97D 7899 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.